linux/drivers
Bart Van Assche 14e3062fb1 scsi: core: Fix a scsi_show_rq() NULL pointer dereference
Avoid that scsi_show_rq() triggers a NULL pointer dereference if called
after sd_uninit_command(). Swap the NULL pointer assignment and the
mempool_free() call in sd_uninit_command() to make it less likely that
scsi_show_rq() triggers a use-after-free. Note: even with these changes
scsi_show_rq() can trigger a use-after-free but that's a lesser evil
than e.g. suppressing debug information for T10 PI Type 2 commands
completely. This patch fixes the following oops:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: scsi_format_opcode_name+0x1a/0x1c0
CPU: 1 PID: 1881 Comm: cat Not tainted 4.14.0-rc2.blk_mq_io_hang+ #516
Call Trace:
 __scsi_format_command+0x27/0xc0
 scsi_show_rq+0x5c/0xc0
 __blk_mq_debugfs_rq_show+0x116/0x130
 blk_mq_debugfs_rq_show+0xe/0x10
 seq_read+0xfe/0x3b0
 full_proxy_read+0x54/0x90
 __vfs_read+0x37/0x160
 vfs_read+0x96/0x130
 SyS_read+0x55/0xc0
 entry_SYSCALL_64_fastpath+0x1a/0xa5

[mkp: added Type 2]

Fixes: 0eebd005dd ("scsi: Implement blk_mq_ops.show_rq()")
Reported-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2017-12-11 21:56:48 -05:00
accessibility
acpi Modules updates for v4.15 2017-11-15 13:46:33 -08:00
amba A couple of dma-mapping updates: 2017-11-14 16:54:12 -08:00
android Modules updates for v4.15 2017-11-15 13:46:33 -08:00
ata Merge branch 'for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2017-11-15 14:11:41 -08:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
auxdisplay Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
base DeviceTree for 4.15: 2017-11-14 18:25:40 -08:00
bcma Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
block A couple of dma-mapping updates: 2017-11-14 16:54:12 -08:00
bluetooth
bus arm64 updates for 4.15 2017-11-15 10:56:56 -08:00
cdrom Merge branch 'for-4.15/block' of git://git.kernel.dk/linux-block 2017-11-14 15:32:19 -08:00
char IPMI updates for 4.15 2017-11-15 15:12:28 -08:00
clk
clocksource arm64 updates for 4.15 2017-11-15 10:56:56 -08:00
connector
cpufreq Power management updates for v4.15-rc1 2017-11-13 19:43:50 -08:00
cpuidle Merge branch 'pm-cpuidle' 2017-11-13 01:34:14 +01:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2017-11-14 10:52:09 -08:00
dax
dca
devfreq Merge branches 'pm-devfreq' and 'pm-tools' 2017-11-13 01:41:39 +01:00
dio
dma dmaengine updates for 4.15-rc1 2017-11-14 16:49:31 -08:00
dma-buf
edac Modules updates for v4.15 2017-11-15 13:46:33 -08:00
eisa
extcon USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
firewire Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
firmware Merge branch 'linus' into locking/core, to resolve conflicts 2017-11-07 10:32:44 +01:00
fmc
fpga
fsi
gpio Merge branch 'i2c/for-4.15' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-11-14 17:52:21 -08:00
gpu DeviceTree for 4.15: 2017-11-14 18:25:40 -08:00
hid Modules updates for v4.15 2017-11-15 13:46:33 -08:00
hsi HSI changes for the v4.15 series 2017-11-15 13:35:43 -08:00
hv x86/virt: Add enum for hypervisors to replace x86_hyper 2017-11-10 10:03:12 +01:00
hwmon hwmon updates for v4.15 2017-11-13 08:55:46 -08:00
hwspinlock
hwtracing A couple of configfs cleanups: 2017-11-14 14:44:04 -08:00
i2c Merge branch 'i2c/for-4.15' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-11-14 17:52:21 -08:00
ide Modules updates for v4.15 2017-11-15 13:46:33 -08:00
idle Merge branch 'pm-cpuidle' 2017-11-13 01:34:14 +01:00
iio A couple of configfs cleanups: 2017-11-14 14:44:04 -08:00
infiniband Updates for 4.15 kernel merge window 2017-11-15 14:54:53 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2017-11-14 18:07:18 -08:00
iommu IOMMU Updates for Linux v4.15 2017-11-14 16:43:27 -08:00
ipack
irqchip pci-v4.15-changes 2017-11-15 15:01:28 -08:00
isdn Modules updates for v4.15 2017-11-15 13:46:33 -08:00
leds LED updates for 4.15rc1 2017-11-14 18:09:31 -08:00
lightnvm Merge branch 'for-4.15/block' of git://git.kernel.dk/linux-block 2017-11-14 15:32:19 -08:00
macintosh Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
mailbox Change to POLL api and fixes for FlexRM and OMAP driver 2017-11-15 13:39:18 -08:00
mcb
md Modules updates for v4.15 2017-11-15 13:46:33 -08:00
media Modules updates for v4.15 2017-11-15 13:46:33 -08:00
memory
memstick Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
message Modules updates for v4.15 2017-11-15 13:46:33 -08:00
mfd sound updates for 4.15-rc1 2017-11-14 18:01:46 -08:00
misc pci-v4.15-changes 2017-11-15 15:01:28 -08:00
mmc MMC core: 2017-11-13 10:17:35 -08:00
mtd Modules updates for v4.15 2017-11-15 13:46:33 -08:00
mux
net Updates for 4.15 kernel merge window 2017-11-15 14:54:53 -08:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
ntb
nubus m68k updates for 4.15 2017-11-13 12:10:24 -08:00
nvdimm Merge branch 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-11-15 10:14:11 -08:00
nvme Merge branch 'for-4.15/block' of git://git.kernel.dk/linux-block 2017-11-14 15:32:19 -08:00
nvmem
of pci-v4.15-changes 2017-11-15 15:01:28 -08:00
opp
oprofile
parisc
parport Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
pci pci-v4.15-changes 2017-11-15 15:01:28 -08:00
pcmcia pci-v4.15-changes 2017-11-15 15:01:28 -08:00
perf arm64 updates for 4.15 2017-11-15 10:56:56 -08:00
phy USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
pinctrl This is the bulk of GPIO changes for the v4.15 kernel cycle: 2017-11-14 17:23:44 -08:00
platform Modules updates for v4.15 2017-11-15 13:46:33 -08:00
pnp
power power supply and reset changes for the v4.15 series 2017-11-15 13:37:15 -08:00
powercap
pps
ps3
ptp
pwm
rapidio
ras Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
regulator MMC core: 2017-11-13 10:17:35 -08:00
remoteproc
reset
rpmsg
rtc Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
sbus
scsi scsi: core: Fix a scsi_show_rq() NULL pointer dereference 2017-12-11 21:56:48 -05:00
sfi
sh A couple of dma-mapping updates: 2017-11-14 16:54:12 -08:00
sn
soc USB/PHY patches for 4.15-rc1 2017-11-13 21:14:07 -08:00
spi Merge remote-tracking branches 'spi/topic/sh-msiof', 'spi/topic/slave', 'spi/topic/spreadtrum' and 'spi/topic/tegra114' into spi-next 2017-11-10 21:33:51 +00:00
spmi
ssb
staging Updates for 4.15 kernel merge window 2017-11-15 14:54:53 -08:00
target A couple of configfs cleanups: 2017-11-14 14:44:04 -08:00
tc
tee
thermal
thunderbolt
tty Modules updates for v4.15 2017-11-15 13:46:33 -08:00
uio
usb sound updates for 4.15-rc1 2017-11-14 18:01:46 -08:00
uwb
vfio VFIO Updates for Linux v4.15 2017-11-14 16:47:47 -08:00
vhost Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
video
virt
virtio
vlynq
vme
w1
watchdog MIPS changes for 4.15 2017-11-15 11:36:08 -08:00
xen Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-11-13 17:56:58 -08:00
zorro
Kconfig Merge branches 'pm-cpufreq-sched' and 'pm-opp' 2017-11-13 01:40:52 +01:00
Makefile Merge branches 'pm-cpufreq-sched' and 'pm-opp' 2017-11-13 01:40:52 +01:00